
Web Application Security

Web application security encompasses the security methods applied to websites, web applications, and web services. In this series you’ll learn how to develop and maintain secure web applications by applying security principles and techniques. This series includes secure coding best practices with coverage of the 2017 OWASP Top 10 web application risks.

What you will learn

Web security patterns

HTTPS fundamentals

Browser security headers and reporting

2017 OWASP Top 10 web application risks

Secure account management best practices

Cryptography fundamentals

Pre-requisites

This path is intended for developers interested in learning secure web application development
practices and techniques and assumes viewers have a solid understanding of programming. This path is
language-agnostic and suited for any web application developer regardless of your language of choice.

Beginner

Begin with an overview of concepts fundamental to web application security.

Play by Play: Modern Web Security Patterns

Description

Play by Play is a series in which top technologists work through a problem in real time, unrehearsed, and unscripted. In this course, Play by Play: Modern Web Security Patterns, Troy Hunt and Lars Klint investigate current web security approaches and trends with real-world examples, and then dive into how these incidents and errors can be fixed with easy-to-use techniques. Learn how subresource integrity checking can validate assets, see content security policies in action and learn how to configure them, and get crucial knowledge on how important HTTPS is and some of the tools you can use to test your site. By the end of this course, you’ll have all the tools you need to learn how to secure your web assets with modern web security standards.

Table of contents

Course Overview

Current Issues of Web Development Security

Subresource Integrity Checking and Content Security Policies

Improving and Testing HTTPS

Improving The Communication

What Every Developer Must Know About HTTPS

Description

Securing the transport layer of any application talking over the web is becoming an absolutely essential attribute of modern software. However, HTTPS is frequently not implemented due to perceived (rather than actual) barriers, and when it is, it's often done poorly. Not only that, but many modern browser features that can help streamline secure communications (and actually make them more efficient and resilient) are rarely used. In this course, What Every Developer Must Know About HTTPS, you will learn all about why you need HTTPS. First, you'll learn the many positive things that HTTPS does. Next, you'll learn about what many people perceive as barriers to HTTPS adoption. Finally, you'll spend some time exploring some topics that go beyond the basics of HTTPS. By the end of this course, you'll have the fundamental knowledge to both implement HTTPS properly from the outset and retrofit it to existing applications.

Table of contents

Course Overview

The HTTPS Value Proposition

HTTPS Fundamentals

Securing the Application

Overcoming (Perceived) Barriers to HTTPS

Beyond the Basics

Introduction to Browser Security Headers

Description

Security is all about defense in depth: applying layer upon layer of security controls such that any one single failure does not lead to a compromise of the application. One of those layers is the browser itself, which is becoming increasingly intelligent when it comes to implementing defenses. Security headers are a way of telling the browser how a website may behave when it’s loaded into the client. They provide numerous defenses against a variety of attacks in ways that have not previously been possible with security controls that ran solely on the server. In this course, we’ll walk through a number of essential security headers that provide even greater levels of defense for web applications. We’ll look at how they’re intended to work, what attacks they protect against, and how you can easily implement them in your website.

Table of contents

Understanding Browser Security Headers

HTTP Strict Transport Security (HSTS)

HTTP Public Key Pinning (HPKP)

Content Security Policy (CSP)

Tools for Working with Browser Headers

Modern Browser Security Reports

Description

In this course, Modern Browser Security Reports, Troy Hunt and Scott Helme discuss how browsers have evolved in recent years to provide a range of new security constructs, increasingly including the ability to report back to site owners when something unexpected of a security nature occurs. Learn the features of content security policies, HTTP public key pinning, certificate authority authorization, certificate transparency, and cross-site scripting reporting. By the end of this course, you’ll be able to implement browser security reporting features on any website.

Table of contents

Course Overview

Importance of Browser Security Reporting

Content Security Policies (CSP) Reporting

HTTP Public Key Pinning Reporting

Certificate Authority Authorization (CAA) Reporting

Certificate Transparency (CT) Reporting

Cross-site Scripting (XSS) Reporting

Wrap-up

Intermediate

Next, explore the 2017 OWASP Top 10 web application risks, and learn how these risks are exploited and
conversely how to prevent introducing them into your application.

Play by Play: OWASP Top 10 2017

Description

Play by Play is a series in which top technologists work through a problem in real time, unrehearsed, and unscripted. In this course, Play by Play: OWASP Top 10 2017, Troy Hunt and Andrew van der Stock discuss the methodology used to construct the 2017 version of the OWASP Top 10. You’ll learn how the analysis of the data collected resulted in a reordering of the risks from the 2013 version, the inclusion of new risks, and the demotion of some risks that were included in previous versions. By the end of this course, you’ll be familiar with each risk and understand how best to use the 2017 OWASP Top 10.

Table of contents

Course Overview

Introduction

The OWASP Top 10 2017

The Missing Risks and the Big Picture

Hack Yourself First: How to go on the Cyber-Offense

Description

The prevalence of online attacks against websites has accelerated quickly in recent years, and the same risks continue to be readily exploited. However, these are very often easily identified directly within the browser; it's just a matter of understanding the vulnerable patterns to look for. This course comes at security from the view of the attacker, in that their entry point is typically the browser. They have a website they want to probe for security risks – this is how they go about it. This approach is more reflective of the real online threat than reviewing source code is, and it empowers developers to begin immediately assessing their applications even when they're running in a live environment without access to the source. After all, that's what online attackers are doing.

Table of contents

Introduction

Transport Layer Protection

Cross Site Scripting (XSS)

Cookies

Internal Implementation Disclosure

Parameter Tampering

SQL Injection

Cross Site Attacks

Account Management

Secure Coding: Preventing Sensitive Data Exposure

Description

Would you like the ability to recognize what is needed to make a web application properly manage sensitive data and prevent it from unintended exposure? This course, Secure Coding: Preventing Sensitive Data Exposure, teaches practices based on the recommendations set by the Open Web Application Security Project (OWASP for short). First, you will learn how to think about sensitive data and what constitutes sensitive data. Next, you will discover TLS, the protocol that protects sensitive data transmitted between a web browser and a web application, and the different facilities it provides to enable this protection. Finally, you will explore how to properly manage user passwords stored in a database. When you’re finished with this course, you will have the knowledge needed to prevent sensitive data exposure effectively and efficiently in your own web applications.

Secure Coding: Identifying and Mitigating XML External Entity (XXE) Vulnerabilities

Description

The OWASP Top 10 2017 contains a new entry: XML External Entities (XXE). As not many people know what this vulnerability is, it can be difficult to protect against. In this course, Secure Coding: Identifying and Mitigating XML External Entity (XXE) Vulnerabilities, you will learn what this vulnerability is, how it ended up in the latest OWASP Top 10, how you can identify it in your code, and how to protect against it. First, you will discover the impact of a successful XML External Entity attack. Next, you will explore how to identify risky parts in your code base. Finally, you will learn how to mitigate these vulnerabilities. By the end of this course, you will be familiar with the risk that XML External Entities pose.

Table of contents

Course Overview

Understanding the Dangers of XML External Entities (XXE)

Understanding XML External Entities (XXE) Injection and Expansion

Identifying Vulnerable Parts Within Existing Code

Mitigating XML External Entity (XXE) Vulnerabilities

Secure Coding: Preventing Broken Access Control

Description

Broken access controls can expose information and functionality in your service to unauthorized users and are currently among the top vulnerabilities found in software. You need to understand those vulnerabilities in order to defend against potential attackers. In this course, Secure Coding: Preventing Broken Access Control, you will gain the ability to protect your code from access control vulnerabilities. First, you will learn to understand these vulnerabilities and the potential attacks that exploit them. Next, you will discover some of the key principles associated with defensive code. Finally, you will explore how to write clean, readable, defensive code. When you are finished with this course, you will have the skills and knowledge needed to protect your code from access control vulnerabilities.

Table of contents

Course Overview

Defining Access Controls

Forced Browsing to Find Hidden Functionality

Traversing Directories for Unauthorized File Access

Manipulating Parameters to Alter Results

Finding Insecure Direct Object References (IDOR)

Guiding Principles for Access Controls

Secure Coding: Preventing Insecure Deserialization

Description

As a developer, it is important to be familiar with common vulnerabilities that are often encountered in web applications. Insecure deserialization is one of those vulnerabilities, ranking 8th in the OWASP Top 10 2017. In this course, Secure Coding: Preventing Insecure Deserialization, you will learn how to properly defend yourself against that particular vulnerability. First, you will learn about the basics of serialization and deserialization, and about the various serialization file formats. Next, you will discover what insecure deserialization actually is, and how it can be exploited: in order to fix the problem, you need to know what can go wrong. Finally, you will explore how to properly prevent insecure deserialization in any development language or framework. By the end of this course, you will have the secure coding skills and knowledge needed to prevent insecure deserialization vulnerabilities from creeping into your application.

Table of contents

Course Overview

What Is Serialization and Deserialization?

Deserialization: How It Can Be Exploited

Insecure Patterns for Deserialization

How to Securely Implement Deserialization

Secure Coding: Using Components with Known Vulnerabilities

Description

Do you know whether the components you are using are up to date, or whether they contain published vulnerabilities? This course teaches you how to reduce the risk of using third-party components. First, you will learn about the abundance of open source software and component re-use. Next, you will discover how to achieve faster time to market with a plethora of languages, frameworks, and package managers. Finally, you will learn about the patch management process. By the end of this course, you will know how to take a methodical approach towards reducing the risk, from installation and versioning all the way to virtual patching and software composition analysis.

Table of contents

Course Overview

Using Components with Known Vulnerabilities

Managing Unsupported or Out-of-date Commercial Software

Managing Bespoke Software That Uses Third Party Libraries

Patch Management Process

Secure Coding: Preventing Insufficient Logging and Monitoring

Description

It is extremely important for the security of your company to know what's currently happening to your application. This can be achieved by proper application logging and monitoring. In this course, Secure Coding: Preventing Insufficient Logging & Monitoring, you will learn what to think of when setting up logging and monitoring for applications. First, you will learn what is meant by the risk of insufficient logging and monitoring. Next, you'll explore what your application should and shouldn't log. Finally, you'll discover how to ensure and improve the quality of log files. When you're finished with this course, you'll have all the application logging and monitoring skills and knowledge needed to detect (future) security incidents in time.

Table of contents

Course Overview

Understanding Insufficient Logging and Monitoring

Determining What Applications Should and Should Not Log

Improving and Ensuring the Quality of Logfiles

Applying an Effective Monitoring Strategy

Advanced

Finally, dig into more advanced web application security concepts.

Secure Account Management Fundamentals

Description

A fundamental component of many modern-day applications is the ability to create and manage user accounts. So many of the services we use every day as consumers and build as developers depend on the ability for customers to register, log in, and then perform tasks under their identity. However, every day we see a barrage of attacks against poorly implemented account management facilities. These range from brute force attacks against the login, to the impersonation of authenticated users, to the cracking of breached passwords. Often, weaknesses in account management facilities are simply due to the developers not having thought through the potential risks from a hacker's mindset. This course demonstrates how attackers think and exploit these weaknesses. There are numerous high-profile precedents, including the celebrity iCloud photo hack, GitHub account attacks, and Dropbox credential disclosure. In some of these cases, oversights in secure account management practices left systems unnecessarily vulnerable, whilst in others, good practices undoubtedly mitigated the scale of the damage caused. This course regularly refers to real-world examples – both good and bad – as a means of illustrating risks and the effectiveness of security controls.

Table of contents

Introduction

Fundamental Security Concepts

Password Storage

Registration

Logon

Remember Me

Account Details Change

Password Reset

Logoff

Additional Considerations

Cryptography Fundamentals for Developers and Security Professionals

Description

The Java and .NET frameworks contain all the algorithms you need to keep your users' data secret from prying eyes. Web servers like Apache, Tomcat, and IIS, combined with tools like OpenSSL, keep your users secure online. But to use these tools correctly, and to avoid mistakes of the past, you must understand how cryptography works. Learn the math behind encryption and digital signatures. Study examples of how it has been misused, and explore the possibilities that cryptography enables in digital currency and collaboration.

Table of contents

History of Cryptography

Algorithms

APIs

Transport Layer Security

Authentication and Authorization

Case Studies

Decentralized Systems
